Is it suitable to open TCP ports 1023 to 65535 for a mail server at my
firewall?
Fauzi Badron
System Administrator
Sepakat Computer Consultant Sdn Bhd
_______________________________________________
Firewalls mailing list
Fire...@lists.gnac.net
http://lists.gnac.net/mailman/listinfo/firewalls
Fauzi Badron (New Fauzi)
System Administrator
Sepakat Computer Consultant Sdn Bhd
----- Original Message -----
From: Tan Tshun Kiat <ta...@cwc.nus.edu.sg>
Date: Tuesday, April 23, 2002 8:59 am
Subject: Re: Open port 1023-65535
> Hi,
> TCP port 25 for SMTP is good enough. If it's POP, then 110. IMAP
> port 143.
>
> Regards,
> --
> Tan Tshun Kiat (Mr)
> Systems Administrator (Unix)
> Information Technology Group
> Institute For Communications Research
Izam
RHB KL
This message is intended only for the use of the person(s) to whom it is
addressed and may contain information that is privileged or otherwise
protected from disclosure. If you are not the intended recipient you are
hereby notified that any use, review, disclosure or copying of this message
and the information it contains is prohibited. If you receive the message in
error, please notify the sender by reply e-mail and discard all its
contents. Thank you.
The best way to decide on a strategy for your email/workgroup server is to
identify who the users are and from where they will be coming in to access the server.
You don't have to run a VPN to let outside users access the workgroup. You can
use OWA so that external users use their browser (preferably over HTTPS) to
access all the workgroup functions. This way you only configure your firewall
to allow port 443 from external to the OWA server.
* Normally, personally, I don't recommend putting a full-blown
(workgroup+POP3+SMTP) Exchange server even in a DMZ zone.
Izam
Fauzi Badron wrote:
>
> Is it suitable to open TCP ports 1023 to 65535 for a mail server at my
> firewall?
By definition a mail server only needs SMTP plus maybe POP or IMAP. But
I guess you're talking about a Microsoft Exchange server? MSX uses
Microsoft-RPCs (tcp/135 plus server-side-opened tcp/1024+) for data
exchange.
Two ways to handle this - best use both:
- if you use CheckPoint's Firewall-1: there you have RPC filters for
MSX. Use them if you can.
- set the RPC server port (i.e. the connection issued by the server) to
one fixed port. This way you only need to open one port in, not all
above 1024. See M$-KnowledgeBase articles Q155831 and Q148732 for
details. You may run into resource problems with this if you have a
large number of clients, though.
In either case make REALLY sure that your MSX server is bastioned
against DoS attacks on the opened port. If possible, restrict the
access to this port to a limited number of addresses.
If you need to provide access for mobile users, try to find out the
IP range your dial-in provider is using and restrict access to that. For
this scenario personal VPNs would be a better solution though.
Bye
Volker
--
-------------------------------------------------------------------
volker...@discon.de discon GmbH
IT-Security Consulting Wrangelstrasse 100
http://www.discon.de/ 10997 Berlin, Germany
-------------------------------------------------------------------
PGP-Fingerprint: 5323 a4f7 a7c2 b8ef 4653 05ce d2ea 2b74 b94c c68e
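Added example (not code from any poster in this thread): a small Python model of the three firewall policies discussed above, evaluated against constructed connection attempts so the difference in exposed surface is visible. The policies are the one the original question proposes (tcp/25, tcp/135 and everything from 1023 upward, to anyone), Volker's (tcp/135 plus one fixed server-side RPC port, only from a known client range) and Izam's (tcp/443 to an OWA front end, no RPC through the firewall). The IP addresses, the dial-in provider range and the fixed RPC port number are assumed values, not taken from the thread; the KB articles Volker cites describe how the fixed port is actually set on the server.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network   # permitted source network
    dst: ipaddress.IPv4Network   # destination host or network
    lo: int                      # inclusive TCP destination port range
    hi: int
    action: str                  # "allow" or "deny"


def rule(src, dst, lo, hi=None, action="allow"):
    """Build a Rule from CIDR strings; hi defaults to lo for a single port."""
    return Rule(ipaddress.ip_network(src), ipaddress.ip_network(dst),
                lo, lo if hi is None else hi, action)


def evaluate(policy, src_ip, dst_ip, dst_port):
    """First-match evaluation with an implicit default deny, as a firewall
    applies its rule base to a new inbound TCP connection."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in policy:
        if s in r.src and d in r.dst and r.lo <= dst_port <= r.hi:
            return r.action
    return "deny"


def exposed_ports(policy, src_ip, dst_ip):
    """Number of TCP ports on dst_ip that a host at src_ip may connect to:
    a rough measure of the attack surface a policy leaves open."""
    return sum(1 for port in range(1, 65536)
               if evaluate(policy, src_ip, dst_ip, port) == "allow")


# Constructed addresses (RFC 5737 documentation ranges), not from the thread.
ANY = "0.0.0.0/0"
MAIL_SERVER = "192.0.2.10/32"       # Exchange server in the DMZ
OWA_SERVER = "192.0.2.11/32"        # front-end web server for OWA
DIALIN_RANGE = "198.51.100.0/24"    # assumed range of the dial-in provider
FIXED_RPC_PORT = 1500               # assumed value for the pinned RPC port

# Policy 1: what the original question proposes.
BROAD = [rule(ANY, MAIL_SERVER, 25),
         rule(ANY, MAIL_SERVER, 135),
         rule(ANY, MAIL_SERVER, 1023, 65535)]

# Policy 2: Volker's approach: SMTP from anywhere, the RPC endpoint mapper
# and the single fixed RPC port only from the known client range.
NARROW = [rule(ANY, MAIL_SERVER, 25),
          rule(DIALIN_RANGE, MAIL_SERVER, 135),
          rule(DIALIN_RANGE, MAIL_SERVER, FIXED_RPC_PORT)]

# Policy 3: Izam's approach: SMTP to the mail server, HTTPS to the OWA
# server, no RPC through the firewall at all.
OWA_ONLY = [rule(ANY, MAIL_SERVER, 25),
            rule(ANY, OWA_SERVER, 443)]


if __name__ == "__main__":
    stranger, roadwarrior = "203.0.113.5", "198.51.100.7"
    for name, policy in (("broad", BROAD), ("narrow", NARROW), ("owa-only", OWA_ONLY)):
        print(f"{name:9s} mail-server ports reachable by a stranger: "
              f"{exposed_ports(policy, stranger, '192.0.2.10')}")
    print("roadwarrior -> fixed RPC port under narrow policy:",
          evaluate(NARROW, roadwarrior, "192.0.2.10", FIXED_RPC_PORT))
```

The point the numbers make is Volker's: opening 1023-65535 lets any host on the Internet reach tens of thousands of ports on the server, including whatever else happens to listen there, whereas pinning the RPC port and restricting the source range leaves a stranger with SMTP alone. Note that the model treats source addresses as trustworthy, so the dial-in range restriction only narrows who can reach the port; it does not substitute for hardening the server itself, as Volker also says.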
Fauzi Badron
System Administrator
Sepakat Computer Consultant Sdn Bhd
Aqeel Ahmed Khan wrote:
> Nope, I am using NG and I have to open the upper ports, otherwise I am
> unable to get emails on my mail server. I have tried to avoid opening the upper
> ports but ....
Just using CLIENTS -> SERVER - "MSExchange" - ALLOW does not work?
FW1 V.41 looks good here. You may need name resolution (DNS or WINS), though.
Bye
Volker
--
-------------------------------------------------------------------
volker...@discon.de discon GmbH
IT-Security Consulting Wrangelstrasse 100
http://www.discon.de/ 10997 Berlin, Germany
-------------------------------------------------------------------
PGP-Fingerprint: 5323 a4f7 a7c2 b8ef 4653 05ce d2ea 2b74 b94c c68e
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls